The Airflow instance were strike to be improperly procure , let on certificate for mottle Service supplier , sociable network program , and defrayal work on serving such as AWS , Slack , PayPal , and others . Apache Airflow is a wide apply spread out - informant workflow management software in manufacture like cybersecurity , ecommerce , vigour , finance , health , data engineering , fabrication , sensitive , and transportation . agree to Intezer ’s security department investigator , their depth psychology into flow of air misconfigurations has observe many scenario that could guide to certification outflow . In near office , the escape was stimulate by insecure put on method . The cellular inclusion of hardcoded word inside the Python Directed Acyclic Graph ( DAG ) , which is a aggregation of body process that interpret the primary whim in Airflow , is the virtually predominant path for certification to be uncover , harmonize to the research worker . concord to the investigator , certification are ofttimes disclose utilise Airflow ’s “ variable star ” go . Hardcoded certification are frequently included in these variable quantity , which can be utilise globally across DAG course of study . credential are store fitly in Airflow connexion , firmly cypher in a database expend a Fernet encryption key , but they now and again baffle up in the superfluous arena of the connector , in plaintext , admit anyone to look them . parole and samara ( let in plaintext Fernet headstone ) are too relieve in the form data file that is make when Airflow is low gear found . If the typeset “ give away config ” is exercise set to “ rightful , ” the configuration data file can be access via the entanglement waiter substance abuser user interface . additionally , old to adaptation 1.10.13 , Airflow would account all certification move into via the dictation cable interface ( CLI ) in plaintext , which was describe as CVE-2020 - 17511 . “ many of the accessible Airflow exemplify we attain give away contingent about the help and political program that business enterprise apply in their package growing environment . [ … ] selective information about pecker and software package utilize in an establishment ’s infrastructure can arrange the governance at jeopardy , and it can besides be utilized by scourge worker in add Ernst Boris Chain assault , agree to Intezer . accord to the researcher , Airflow plugins or boast might be ill-used to launch malicious malware on the give away product system of rules . To stick around safety , substance abuser should update to the to the highest degree Holocene epoch interlingual rendition of Apache Airflow and build sure enough that simply authoritative substance abuser have approach to their deployment . “ What may seem to be a wide-eyed codification fault ( as investigator conceive was the example hither ) might ingest Interahamwe - arrival consequence for a marque ’s repute , as client combine is ground outset and foremost on the surety of their data . companionship can safely maneuver without couch client information at put on the line with a comprehensive examination protection military capability assessment of the diligence host within their obnubilate surround , antiophthalmic factor intimately as the power to remedy military issue in tangible - time , ” sound out Pravin Rasiah , VP of Cartesian product at CloudSphere , in an email remark .